Skill v1.0.0
ClawScan security
MH summarize · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 24, 2026, 6:18 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent with a CLI-based summarization tool; it asks for the summarize binary (installable via a Homebrew tap) and optionally uses user-provided model API keys — nothing in the instructions indicates unexpected or unrelated access, but verify the brew tap and provider keys before installing.
- Guidance: This skill is an instruction-only wrapper around a CLI tool. Before installing or using it: (1) verify the Homebrew tap 'steipete/tap' and inspect the formula/source so you trust the binary you will install; (2) be mindful that summaries/transcripts may be sent to whichever model provider you configure — only provide API keys you trust and consider using limited-scope or expendable keys for testing; (3) the tool may read a per-user config file (~/.summarize/config.json) and optional tokens (FIRECRAWL/APIFY) — review that file after installation; (4) if you need stronger assurance, run the binary in a restricted environment (container or sandbox) and audit network traffic to see which endpoints it contacts before using it with sensitive content.
Review Dimensions
- Purpose & Capability (ok): Name/description ask for a summarization/transcription CLI and the declared requirement is exactly the 'summarize' binary. The Homebrew formula and the CLI flags described in SKILL.md are coherent with the stated purpose.
- Instruction Scope (note): SKILL.md provides concrete CLI usage and flags and does not instruct the agent to read unrelated system files or secrets. It does reference a per-user config (~/.summarize/config.json) and optional API keys (OpenAI/Anthropic/xAI/Gemini, FIRECRAWL/APIFY) which is expected for a tool that forwards content to model providers or extraction services; the agent will need to run the summarize binary and may send data to third-party APIs depending on configured keys.
- Install Mechanism (note): Install is via Homebrew formula steipete/tap/summarize. Homebrew installs are lower-risk than arbitrary downloads, but this is a third-party tap (not an official core formula). Verify the tap/author and the formula's source before installing to ensure the binary does what you expect.
- Credentials (note): The skill declares no required environment variables, but the docs list several optional API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY, FIRECRAWL_API_KEY, APIFY_API_TOKEN). Those are proportionate to a tool that can call different model/extraction providers — only supply the keys you trust and that are necessary for the provider you intend to use.
- Persistence & Privilege (ok): always:false (no forced persistence). The skill is instruction-only and uses an optional CLI binary; it does not request escalation or modifications to other skills or system-wide agent settings.
